diff options
| author | AnotherTest <ali.mpfard@gmail.com> | 2020-11-11 13:17:23 +0330 |
|---|---|---|
| committer | Andreas Kling <kling@serenityos.org> | 2020-11-14 10:18:54 +0100 |
| commit | d3c52cef86573f6845ba8e860da2c24831e89cde (patch) | |
| tree | d7e7d419905e76420b593d4de296edac94e5a14b | |
| parent | 2cc867bcbafb49aaa236521bf4b81d59500becca (diff) | |
| download | serenity-d3c52cef86573f6845ba8e860da2c24831e89cde.zip | |
LibCrypto: Implement GCM mode
| -rw-r--r-- | Libraries/LibCrypto/Authentication/GHash.cpp | 148 | ||||
| -rw-r--r-- | Libraries/LibCrypto/Authentication/GHash.h | 76 | ||||
| -rw-r--r-- | Libraries/LibCrypto/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | Libraries/LibCrypto/Cipher/AES.h | 3 | ||||
| -rw-r--r-- | Libraries/LibCrypto/Cipher/Mode/GCM.h | 154 | ||||
| -rw-r--r-- | Userland/test-crypto.cpp | 275 |
6 files changed, 657 insertions, 0 deletions
diff --git a/Libraries/LibCrypto/Authentication/GHash.cpp b/Libraries/LibCrypto/Authentication/GHash.cpp new file mode 100644 index 0000000000..d932ae51f4 --- /dev/null +++ b/Libraries/LibCrypto/Authentication/GHash.cpp @@ -0,0 +1,148 @@ +/* + * Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <AK/MemoryStream.h> +#include <AK/Types.h> +#include <AK/Vector.h> +#include <LibCrypto/Authentication/GHash.h> +#include <LibCrypto/BigInt/UnsignedBigInteger.h> + +namespace { + +static u32 to_u32(const u8* b) +{ + return AK::convert_between_host_and_big_endian(*(const u32*)b); +} + +static void to_u8s(u8* b, const u32* w) +{ + for (auto i = 0; i < 4; ++i) { + auto& e = *((u32*)(b + i * 4)); + e = AK::convert_between_host_and_big_endian(w[i]); + } +} + +} + +namespace Crypto { +namespace Authentication { + +GHash::TagType GHash::process(ReadonlyBytes aad, ReadonlyBytes cipher) +{ + u32 tag[4] { 0, 0, 0, 0 }; + + auto transform_one = [&](auto& buf) { + size_t i = 0; + for (; i < buf.size(); i += 16) { + if (i + 16 <= buf.size()) { + for (auto j = 0; j < 4; ++j) { + tag[j] ^= to_u32(buf.offset(i + j * 4)); + } + galois_multiply(tag, m_key, tag); + } + } + + if (i > buf.size()) { + static u8 buffer[16]; + Bytes buffer_bytes { buffer, 16 }; + OutputMemoryStream stream { buffer_bytes }; + stream.write(buf.slice(i - 16)); + stream.fill_to_end(0); + + for (auto j = 0; j < 4; ++j) { + tag[j] ^= to_u32(buffer_bytes.offset(j * 4)); + } + galois_multiply(tag, m_key, tag); + } + }; + + transform_one(aad); + transform_one(cipher); + + auto aad_bits = 8 * (u64)aad.size(); + auto cipher_bits = 8 * (u64)cipher.size(); + + auto high = [](u64 value) -> u32 { return value >> 32; }; + auto low = [](u64 value) -> u32 { return value & 0xffffffff; }; + +#ifdef GHASH_PROCESS_DEBUG + dbg() << "AAD bits: " << high(aad_bits) << " : " << low(aad_bits); + dbg() << "Cipher bits: " << high(cipher_bits) << " : " << low(cipher_bits); + + dbg() << "Tag bits: " << tag[0] << " : " << tag[1] << " : " << tag[2] << " : " << tag[3]; +#endif + + tag[0] ^= high(aad_bits); + tag[1] ^= low(aad_bits); + tag[2] ^= high(cipher_bits); + tag[3] ^= low(cipher_bits); + +#ifdef GHASH_PROCESS_DEBUG + dbg() << "Tag bits: " << tag[0] << " : " << tag[1] << " : " << tag[2] << " : " << tag[3]; +#endif + + galois_multiply(tag, m_key, tag); + + TagType digest; + to_u8s(digest.data, tag); + + return digest; +} + +/// Galois Field multiplication using <x^127 + x^7 + x^2 + x + 1>. +/// Note that x, y, and z are strictly BE. +void galois_multiply(u32 (&z)[4], const u32 (&_x)[4], const u32 (&_y)[4]) +{ + u32 x[4] { _x[0], _x[1], _x[2], _x[3] }; + u32 y[4] { _y[0], _y[1], _y[2], _y[3] }; + __builtin_memset(z, 0, sizeof(z)); + + for (ssize_t i = 127; i > -1; --i) { + if ((y[3 - (i / 32)] >> (i % 32)) & 1) { + z[0] ^= x[0]; + z[1] ^= x[1]; + z[2] ^= x[2]; + z[3] ^= x[3]; + } + auto a0 = x[0] & 1; + x[0] >>= 1; + auto a1 = x[1] & 1; + x[1] >>= 1; + x[1] |= a0 << 31; + auto a2 = x[2] & 1; + x[2] >>= 1; + x[2] |= a1 << 31; + auto a3 = x[3] & 1; + x[3] >>= 1; + x[3] |= a2 << 31; + + if (a3) + x[0] ^= 0xe1000000; + } +} + +} +} diff --git a/Libraries/LibCrypto/Authentication/GHash.h b/Libraries/LibCrypto/Authentication/GHash.h new file mode 100644 index 0000000000..7d183e52cf --- /dev/null +++ b/Libraries/LibCrypto/Authentication/GHash.h @@ -0,0 +1,76 @@ +/* + * Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#pragma once + +#include <AK/String.h> +#include <AK/Types.h> +#include <LibCrypto/Hash/HashFunction.h> + +namespace Crypto { +namespace Authentication { + +void galois_multiply(u32 (&z)[4], const u32 (&x)[4], const u32 (&y)[4]); + +struct GHashDigest { + constexpr static size_t Size = 16; + u8 data[Size]; + + const u8* immutable_data() const { return data; } + size_t data_length() { return Size; } +}; + +class GHash final { +public: + using TagType = GHashDigest; + + template<size_t N> + explicit GHash(const char (&key)[N]) + : GHash({ key, N }) + { + } + + explicit GHash(const ReadonlyBytes& key) + { + for (size_t i = 0; i < 16; i += 4) + m_key[i / 4] = AK::convert_between_host_and_big_endian(*(const u32*)(key.offset(i))); + } + + constexpr static size_t digest_size() { return TagType::Size; } + + String class_name() const { return "GHash"; } + + TagType process(ReadonlyBytes aad, ReadonlyBytes cipher); + +private: + inline void transform(ReadonlyBytes, ReadonlyBytes); + + u32 m_key[4]; +}; + +} + +} diff --git a/Libraries/LibCrypto/CMakeLists.txt b/Libraries/LibCrypto/CMakeLists.txt index 01ddd873ae..bda4aa5d20 100644 --- a/Libraries/LibCrypto/CMakeLists.txt +++ b/Libraries/LibCrypto/CMakeLists.txt @@ -1,4 +1,5 @@ set(SOURCES + Authentication/GHash.cpp BigInt/SignedBigInteger.cpp BigInt/UnsignedBigInteger.cpp Checksum/Adler32.cpp diff --git a/Libraries/LibCrypto/Cipher/AES.h b/Libraries/LibCrypto/Cipher/AES.h index cb9649f397..70b9f88827 100644 --- a/Libraries/LibCrypto/Cipher/AES.h +++ b/Libraries/LibCrypto/Cipher/AES.h @@ -31,6 +31,7 @@ #include <LibCrypto/Cipher/Cipher.h> #include <LibCrypto/Cipher/Mode/CBC.h> #include <LibCrypto/Cipher/Mode/CTR.h> +#include <LibCrypto/Cipher/Mode/GCM.h> namespace Crypto { namespace Cipher { @@ -53,6 +54,7 @@ public: virtual ByteBuffer get() const override { return m_data; }; virtual const ByteBuffer& data() const override { return m_data; }; + ReadonlyBytes bytes() const { return m_data; } virtual void overwrite(ReadonlyBytes) override; virtual void overwrite(const ByteBuffer& buffer) override { overwrite(buffer.bytes()); } @@ -113,6 +115,7 @@ class AESCipher final : public Cipher<AESCipherKey, AESCipherBlock> { public: using CBCMode = CBC<AESCipher>; using CTRMode = CTR<AESCipher>; + using GCMMode = GCM<AESCipher>; constexpr static size_t BlockSizeInBits = BlockType::BlockSizeInBits; diff --git a/Libraries/LibCrypto/Cipher/Mode/GCM.h b/Libraries/LibCrypto/Cipher/Mode/GCM.h new file mode 100644 index 0000000000..2e6f16f87e --- /dev/null +++ b/Libraries/LibCrypto/Cipher/Mode/GCM.h @@ -0,0 +1,154 @@ +/* + * Copyright (c) 2020, Ali Mohammad Pur <ali.mpfard@gmail.com> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#pragma once + +#include <AK/OwnPtr.h> +#include <AK/String.h> +#include <AK/StringBuilder.h> +#include <AK/StringView.h> +#include <LibCrypto/Authentication/GHash.h> +#include <LibCrypto/Cipher/Mode/CTR.h> +#include <LibCrypto/Verification.h> + +namespace Crypto { +namespace Cipher { + +using IncrementFunction = IncrementInplace; + +template<typename T> +class GCM : public CTR<T, IncrementFunction> { +public: + constexpr static size_t IVSizeInBits = 128; + + virtual ~GCM() { } + + template<typename... Args> + explicit constexpr GCM<T>(Args... args) + : CTR<T>(args...) + { + static_assert(T::BlockSizeInBits == 128u, "GCM Mode is only available for 128-bit Ciphers"); + + __builtin_memset(m_auth_key_storage, 0, block_size); + typename T::BlockType key_block(m_auth_key_storage, block_size); + this->cipher().encrypt_block(key_block, key_block); + key_block.bytes().copy_to(m_auth_key); + + m_ghash = make<Authentication::GHash>(m_auth_key); + } + + virtual String class_name() const override + { + StringBuilder builder; + builder.append(this->cipher().class_name()); + builder.append("_GCM"); + return builder.build(); + } + + virtual size_t IV_length() const override { return IVSizeInBits / 8; } + + // FIXME: This overload throws away the auth stuff, think up a better way to return more than a single bytebuffer. + virtual void encrypt(const ReadonlyBytes& in, Bytes& out, const Bytes& ivec = {}, Bytes* = nullptr) override + { + ASSERT(!ivec.is_empty()); + + static ByteBuffer dummy; + + encrypt(in, out, ivec, dummy, dummy); + } + virtual void decrypt(const ReadonlyBytes& in, Bytes& out, const Bytes& ivec = {}) override + { + encrypt(in, out, ivec); + } + + void encrypt(const ReadonlyBytes& in, Bytes out, const ReadonlyBytes& iv_in, const ReadonlyBytes& aad, Bytes tag) + { + auto iv_buf = ByteBuffer::copy(iv_in.data(), iv_in.size()); + auto iv = iv_buf.bytes(); + + // Increment the IV for block 0 + CTR<T>::increment(iv); + typename T::BlockType block0; + block0.overwrite(iv); + this->cipher().encrypt_block(block0, block0); + + // Skip past block 0 + CTR<T>::increment(iv); + + if (in.is_empty()) + CTR<T>::key_stream(out, iv); + else + CTR<T>::encrypt(in, out, iv); + + auto auth_tag = m_ghash->process(aad, out); + block0.apply_initialization_vector(auth_tag.data); + block0.get().bytes().copy_to(tag); + } + + VerificationConsistency decrypt(const ReadonlyBytes& in, Bytes out, const ReadonlyBytes& iv_in, const ReadonlyBytes& aad, const ReadonlyBytes& tag) + { + auto iv_buf = ByteBuffer::copy(iv_in.data(), iv_in.size()); + auto iv = iv_buf.bytes(); + + // Increment the IV for block 0 + CTR<T>::increment(iv); + typename T::BlockType block0; + block0.overwrite(iv); + this->cipher().encrypt_block(block0, block0); + + // Skip past block 0 + CTR<T>::increment(iv); + + auto auth_tag = m_ghash->process(aad, in); + block0.apply_initialization_vector(auth_tag.data); + + auto test_consistency = [&] { + if (block0.block_size() != tag.size() || __builtin_memcmp(block0.bytes().data(), tag.data(), tag.size()) != 0) + return VerificationConsistency::Inconsistent; + + return VerificationConsistency::Consistent; + }; + // FIXME: This block needs constant-time comparisons. + + if (in.is_empty()) { + out = {}; + return test_consistency(); + } + + CTR<T>::encrypt(in, out, iv); + return test_consistency(); + } + +private: + static constexpr auto block_size = T::BlockType::BlockSizeInBits / 8; + u8 m_auth_key_storage[block_size]; + Bytes m_auth_key { m_auth_key_storage, block_size }; + OwnPtr<Authentication::GHash> m_ghash; +}; + +} + +} diff --git a/Userland/test-crypto.cpp b/Userland/test-crypto.cpp index dd78cd3409..d2d2adc2ba 100644 --- a/Userland/test-crypto.cpp +++ b/Userland/test-crypto.cpp @@ -29,6 +29,7 @@ #include <LibCore/ConfigFile.h> #include <LibCore/EventLoop.h> #include <LibCore/File.h> +#include <LibCrypto/Authentication/GHash.h> #include <LibCrypto/Authentication/HMAC.h> #include <LibCrypto/BigInt/SignedBigInteger.h> #include <LibCrypto/BigInt/UnsignedBigInteger.h> @@ -75,6 +76,7 @@ static Vector<Certificate> s_root_ca_certificates; // Cipher static int aes_cbc_tests(); static int aes_ctr_tests(); +static int aes_gcm_tests(); // Hash static int md5_tests(); @@ -87,6 +89,7 @@ static int hmac_md5_tests(); static int hmac_sha256_tests(); static int hmac_sha512_tests(); static int hmac_sha1_tests(); +static int ghash_tests(); // Public-Key static int rsa_tests(); @@ -409,6 +412,10 @@ auto main(int argc, char** argv) -> int if (run_tests) return hmac_sha1_tests(); } + if (suite_sv == "GHash") { + if (run_tests) + return ghash_tests(); + } printf("unknown hash function '%s'\n", suite); return 1; } @@ -439,10 +446,12 @@ auto main(int argc, char** argv) -> int encrypting = true; aes_cbc_tests(); aes_ctr_tests(); + aes_gcm_tests(); encrypting = false; aes_cbc_tests(); aes_ctr_tests(); + aes_gcm_tests(); md5_tests(); sha1_tests(); @@ -454,6 +463,8 @@ auto main(int argc, char** argv) -> int hmac_sha512_tests(); hmac_sha1_tests(); + ghash_tests(); + rsa_tests(); if (!in_ci) { @@ -496,6 +507,12 @@ auto main(int argc, char** argv) -> int return 1; } return run(aes_cbc); + } + if (StringView(suite) == "AES_GCM") { + if (run_tests) + return aes_gcm_tests(); + + return 1; } else { printf("Unknown cipher suite '%s'\n", suite); return 1; @@ -545,6 +562,9 @@ static void aes_cbc_test_decrypt(); static void aes_ctr_test_name(); static void aes_ctr_test_encrypt(); static void aes_ctr_test_decrypt(); +static void aes_gcm_test_name(); +static void aes_gcm_test_encrypt(); +static void aes_gcm_test_decrypt(); static void md5_test_name(); static void md5_test_hash(); @@ -559,6 +579,9 @@ static void sha256_test_hash(); static void sha512_test_name(); static void sha512_test_hash(); +static void ghash_test_name(); +static void ghash_test_process(); + static void hmac_md5_test_name(); static void hmac_md5_test_process(); @@ -993,6 +1016,207 @@ static void aes_ctr_test_decrypt() // If encryption works, then decryption works, too. } +static int aes_gcm_tests() +{ + aes_gcm_test_name(); + if (encrypting) { + aes_gcm_test_encrypt(); + } else { + aes_gcm_test_decrypt(); + } + + return g_some_test_failed ? 1 : 0; +} + +static void aes_gcm_test_name() +{ + I_TEST((AES GCM class name)); + Crypto::Cipher::AESCipher::GCMMode cipher("WellHelloFriends"_b, 128, Crypto::Cipher::Intent::Encryption); + if (cipher.class_name() != "AES_GCM") + FAIL(Invalid class name); + else + PASS; +} + +static void aes_gcm_test_encrypt() +{ + { + I_TEST((AES GCM Encrypt | Empty)); + Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 result_tag[] { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61, 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a }; + Bytes out; + auto tag = ByteBuffer::create_uninitialized(16); + cipher.encrypt({}, out, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, tag); + if (memcmp(result_tag, tag.data(), tag.size()) != 0) { + FAIL(Invalid auth tag); + print_buffer(tag, -1); + } else + PASS; + } + { + I_TEST((AES GCM Encrypt | Zeros)); + Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 result_tag[] { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd, 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf }; + u8 result_ct[] { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92, 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 }; + auto tag = ByteBuffer::create_uninitialized(16); + auto out = ByteBuffer::create_uninitialized(16); + auto out_bytes = out.bytes(); + cipher.encrypt("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), out_bytes, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, tag); + if (memcmp(result_ct, out.data(), out.size()) != 0) { + FAIL(Invalid ciphertext); + print_buffer(out, -1); + } else if (memcmp(result_tag, tag.data(), tag.size()) != 0) { + FAIL(Invalid auth tag); + print_buffer(tag, -1); + } else + PASS; + } + { + I_TEST((AES GCM Encrypt | Multiple Blocks With IV)); + Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 result_tag[] { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6, 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 }; + u8 result_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 }; + auto tag = ByteBuffer::create_uninitialized(16); + auto out = ByteBuffer::create_uninitialized(64); + auto out_bytes = out.bytes(); + cipher.encrypt( + "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55"_b.bytes(), + out_bytes, + "\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(), + {}, + tag); + if (memcmp(result_ct, out.data(), out.size()) != 0) { + FAIL(Invalid ciphertext); + print_buffer(out, -1); + } else if (memcmp(result_tag, tag.data(), tag.size()) != 0) { + FAIL(Invalid auth tag); + print_buffer(tag, -1); + } else + PASS; + } + { + I_TEST((AES GCM Encrypt | With AAD)); + Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 result_tag[] { 0x93, 0xae, 0x16, 0x97, 0x49, 0xa3, 0xbf, 0x39, 0x4f, 0x61, 0xb7, 0xc1, 0xb1, 0x2, 0x4f, 0x60 }; + u8 result_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 }; + auto tag = ByteBuffer::create_uninitialized(16); + auto out = ByteBuffer::create_uninitialized(64); + auto out_bytes = out.bytes(); + cipher.encrypt( + "\xd9\x31\x32\x25\xf8\x84\x06\xe5\xa5\x59\x09\xc5\xaf\xf5\x26\x9a\x86\xa7\xa9\x53\x15\x34\xf7\xda\x2e\x4c\x30\x3d\x8a\x31\x8a\x72\x1c\x3c\x0c\x95\x95\x68\x09\x53\x2f\xcf\x0e\x24\x49\xa6\xb5\x25\xb1\x6a\xed\xf5\xaa\x0d\xe6\x57\xba\x63\x7b\x39\x1a\xaf\xd2\x55"_b.bytes(), + out_bytes, + "\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(), + "\xde\xad\xbe\xef\xfa\xaf\x11\xcc"_b.bytes(), + tag); + if (memcmp(result_ct, out.data(), out.size()) != 0) { + FAIL(Invalid ciphertext); + print_buffer(out, -1); + } else if (memcmp(result_tag, tag.data(), tag.size()) != 0) { + FAIL(Invalid auth tag); + print_buffer(tag, -1); + } else + PASS; + } +} + +static void aes_gcm_test_decrypt() +{ + { + I_TEST((AES GCM Decrypt | Empty)); + Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 input_tag[] { 0x58, 0xe2, 0xfc, 0xce, 0xfa, 0x7e, 0x30, 0x61, 0x36, 0x7f, 0x1d, 0x57, 0xa4, 0xe7, 0x45, 0x5a }; + Bytes out; + auto consistency = cipher.decrypt({}, out, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, { input_tag, 16 }); + if (consistency != Crypto::VerificationConsistency::Consistent) { + FAIL(Verification reported inconsistent); + } else if (out.size() != 0) { + FAIL(Invalid plain text); + } else + PASS; + } + { + I_TEST((AES GCM Decrypt | Zeros)); + Crypto::Cipher::AESCipher::GCMMode cipher("\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 input_tag[] { 0xab, 0x6e, 0x47, 0xd4, 0x2c, 0xec, 0x13, 0xbd, 0xf5, 0x3a, 0x67, 0xb2, 0x12, 0x57, 0xbd, 0xdf }; + u8 input_ct[] { 0x03, 0x88, 0xda, 0xce, 0x60, 0xb6, 0xa3, 0x92, 0xf3, 0x28, 0xc2, 0xb9, 0x71, 0xb2, 0xfe, 0x78 }; + u8 result_pt[] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; + auto out = ByteBuffer::create_uninitialized(16); + auto out_bytes = out.bytes(); + auto consistency = cipher.decrypt({ input_ct, 16 }, out_bytes, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"_b.bytes(), {}, { input_tag, 16 }); + if (consistency != Crypto::VerificationConsistency::Consistent) { + FAIL(Verification reported inconsistent); + } else if (memcmp(result_pt, out.data(), out.size()) != 0) { + FAIL(Invalid plaintext); + print_buffer(out, -1); + } else + PASS; + } + { + I_TEST((AES GCM Decrypt | Multiple Blocks With IV)); + Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 input_tag[] { 0x4d, 0x5c, 0x2a, 0xf3, 0x27, 0xcd, 0x64, 0xa6, 0x2c, 0xf3, 0x5a, 0xbd, 0x2b, 0xa6, 0xfa, 0xb4 }; + u8 input_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 }; + u8 result_pt[] { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 }; + auto out = ByteBuffer::create_uninitialized(64); + auto out_bytes = out.bytes(); + + auto consistency = cipher.decrypt( + { input_ct, 64 }, + out_bytes, + "\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(), + {}, + { input_tag, 16 }); + if (memcmp(result_pt, out.data(), out.size()) != 0) { + FAIL(Invalid plaintext); + print_buffer(out, -1); + } else if (consistency != Crypto::VerificationConsistency::Consistent) { + FAIL(Verification reported inconsistent); + } else + PASS; + } + { + I_TEST((AES GCM Decrypt | With AAD)); + Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 input_tag[] { 0x93, 0xae, 0x16, 0x97, 0x49, 0xa3, 0xbf, 0x39, 0x4f, 0x61, 0xb7, 0xc1, 0xb1, 0x2, 0x4f, 0x60 }; + u8 input_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 }; + u8 result_pt[] { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, 0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a, 0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda, 0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72, 0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53, 0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25, 0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57, 0xba, 0x63, 0x7b, 0x39, 0x1a, 0xaf, 0xd2, 0x55 }; + auto out = ByteBuffer::create_uninitialized(64); + auto out_bytes = out.bytes(); + auto consistency = cipher.decrypt( + { input_ct, 64 }, + out_bytes, + "\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(), + "\xde\xad\xbe\xef\xfa\xaf\x11\xcc"_b.bytes(), + { input_tag, 16 }); + if (memcmp(result_pt, out.data(), out.size()) != 0) { + FAIL(Invalid plaintext); + print_buffer(out, -1); + } else if (consistency != Crypto::VerificationConsistency::Consistent) { + FAIL(Verification reported inconsistent); + } else + PASS; + } + { + I_TEST((AES GCM Decrypt | With AAD - Invalid Tag)); + Crypto::Cipher::AESCipher::GCMMode cipher("\xfe\xff\xe9\x92\x86\x65\x73\x1c\x6d\x6a\x8f\x94\x67\x30\x83\x08"_b, 128, Crypto::Cipher::Intent::Encryption); + u8 input_tag[] { 0x94, 0xae, 0x16, 0x97, 0x49, 0xa3, 0xbf, 0x39, 0x4f, 0x61, 0xb7, 0xc1, 0xb1, 0x2, 0x4f, 0x60 }; + u8 input_ct[] { 0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24, 0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c, 0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0, 0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e, 0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c, 0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05, 0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97, 0x3d, 0x58, 0xe0, 0x91, 0x47, 0x3f, 0x59, 0x85 }; + auto out = ByteBuffer::create_uninitialized(64); + auto out_bytes = out.bytes(); + auto consistency = cipher.decrypt( + { input_ct, 64 }, + out_bytes, + "\xca\xfe\xba\xbe\xfa\xce\xdb\xad\xde\xca\xf8\x88\x00\x00\x00\x00"_b.bytes(), + "\xde\xad\xbe\xef\xfa\xaf\x11\xcc"_b.bytes(), + { input_tag, 16 }); + + if (consistency != Crypto::VerificationConsistency::Inconsistent) + FAIL(Verification reported consistent); + else + PASS; + } +} + static int md5_tests() { md5_test_name(); @@ -1193,6 +1417,23 @@ static void hmac_md5_test_process() } } +static int ghash_tests() +{ + ghash_test_name(); + ghash_test_process(); + return g_some_test_failed ? 1 : 0; +} + +static void ghash_test_name() +{ + I_TEST((GHash class name)); + Crypto::Authentication::GHash ghash("WellHelloFriends"); + if (ghash.class_name() != "GHash") + FAIL(Invalid class name); + else + PASS; +} + static void hmac_sha1_test_name() { I_TEST((HMAC - SHA1 | Class name)); @@ -1244,6 +1485,40 @@ static void hmac_sha1_test_process() } } +static void ghash_test_process() +{ + { + I_TEST((GHash | Galois Field Multiply)); + u32 x[4] { 0x42831ec2, 0x21777424, 0x4b7221b7, 0x84d0d49c }, + y[4] { 0xb83b5337, 0x08bf535d, 0x0aa6e529, 0x80d53b78 }, z[4] { 0, 0, 0, 0 }; + static constexpr u32 result[4] { 0x59ed3f2b, 0xb1a0aaa0, 0x7c9f56c6, 0xa504647b }; + + Crypto::Authentication::galois_multiply(z, x, y); + if (memcmp(result, z, 4 * sizeof(u32)) != 0) { + FAIL(Invalid multiply value); + print_buffer({ z, 4 * sizeof(u32) }, -1); + print_buffer({ result, 4 * sizeof(u32) }, -1); + } else + PASS; + } + { + I_TEST((GHash | Galois Field Multiply #2)); + u32 x[4] { 59300558, 1622582162, 4079534777, 1907555960 }, + y[4] { 1726565332, 4018809915, 2286746201, 3392416558 }, z[4]; + constexpr static u32 result[4] { 1580123974, 2440061576, 746958952, 1398005431 }; + + Crypto::Authentication::galois_multiply(z, x, y); + if (memcmp(result, z, 4 * sizeof(u32)) != 0) { + FAIL(Invalid multiply value); + print_buffer({ z, 4 * sizeof(u32) }, -1); + print_buffer({ result, 4 * sizeof(u32) }, -1); + } else + PASS; + } + // TODO: Add some GHash tests? + // Kinda hard, as there are no vectors and existing tools don't have an interface to it. +} + static int sha1_tests() { sha1_test_name(); |